void create_jwt(const char *json_key_file_path, const char *service_url,
const char *scope) {
grpc_auth_json_key key;
char *jwt;
grpc_slice json_key_data;
GPR_ASSERT(GRPC_LOG_IF_ERROR(
"load_file", grpc_load_file(json_key_file_path, 1, &json_key_data)));
key = grpc_auth_json_key_create_from_string(
(const char *)GRPC_SLICE_START_PTR(json_key_data));
grpc_slice_unref(json_key_data);
if (!grpc_auth_json_key_is_valid(&key)) {
fprintf(stderr, "Could not parse json key.\n");
exit(1);
}
jwt = grpc_jwt_encode_and_sign(
&key, service_url == NULL ? GRPC_JWT_OAUTH2_AUDIENCE : service_url,
grpc_max_auth_token_lifetime(), scope);
grpc_auth_json_key_destruct(&key);
if (jwt == NULL) {
fprintf(stderr, "Could not create JWT.\n");
exit(1);
}
fprintf(stdout, "%s\n", jwt);
gpr_free(jwt);
}
/* Takes ownership of creds_path if not NULL. */
static grpc_error *create_default_creds_from_path(
grpc_exec_ctx *exec_ctx, char *creds_path, grpc_call_credentials **creds) {
grpc_json *json = NULL;
grpc_auth_json_key key;
grpc_auth_refresh_token token;
grpc_call_credentials *result = NULL;
grpc_slice creds_data = grpc_empty_slice();
grpc_error *error = GRPC_ERROR_NONE;
if (creds_path == NULL) {
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("creds_path unset");
goto end;
}
error = grpc_load_file(creds_path, 0, &creds_data);
if (error != GRPC_ERROR_NONE) {
goto end;
}
json = grpc_json_parse_string_with_len(
(char *)GRPC_SLICE_START_PTR(creds_data), GRPC_SLICE_LENGTH(creds_data));
if (json == NULL) {
error = grpc_error_set_str(
GRPC_ERROR_CREATE_FROM_STATIC_STRING("Failed to parse JSON"),
GRPC_ERROR_STR_RAW_BYTES, grpc_slice_ref_internal(creds_data));
goto end;
}
/* First, try an auth json key. */
key = grpc_auth_json_key_create_from_json(json);
if (grpc_auth_json_key_is_valid(&key)) {
result =
grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
exec_ctx, key, grpc_max_auth_token_lifetime());
if (result == NULL) {
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"grpc_service_account_jwt_access_credentials_create_from_auth_json_"
"key failed");
}
goto end;
}
/* Then try a refresh token if the auth json key was invalid. */
token = grpc_auth_refresh_token_create_from_json(json);
if (grpc_auth_refresh_token_is_valid(&token)) {
result =
grpc_refresh_token_credentials_create_from_auth_refresh_token(token);
if (result == NULL) {
error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
"grpc_refresh_token_credentials_create_from_auth_refresh_token "
"failed");
}
goto end;
}
end:
GPR_ASSERT((result == NULL) + (error == GRPC_ERROR_NONE) == 1);
if (creds_path != NULL) gpr_free(creds_path);
grpc_slice_unref_internal(exec_ctx, creds_data);
if (json != NULL) grpc_json_destroy(json);
*creds = result;
return error;
}
static void test_parse_json_key_failure_no_private_key(void) {
const char no_private_key_json_string[] =
"{ \"private_key_id\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\", "
"\"client_email\": "
"\"[email protected]."
"com\", \"client_id\": "
"\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
"com\", \"type\": \"service_account\" }";
grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(no_private_key_json_string);
GPR_ASSERT(!grpc_auth_json_key_is_valid(&json_key));
grpc_auth_json_key_destruct(&json_key);
}
static void test_parse_json_key_failure_no_private_key_id(void) {
const char no_private_key_id_part3[] =
"\"client_email\": "
"\"[email protected]."
"com\", \"client_id\": "
"\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
"com\", \"type\": \"service_account\" }";
char *json_string = test_json_key_str(no_private_key_id_part3);
grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(json_string);
GPR_ASSERT(!grpc_auth_json_key_is_valid(&json_key));
gpr_free(json_string);
grpc_auth_json_key_destruct(&json_key);
}
grpc_credentials *grpc_jwt_credentials_create_from_auth_json_key(
grpc_auth_json_key key, gpr_timespec token_lifetime) {
grpc_jwt_credentials *c;
if (!grpc_auth_json_key_is_valid(&key)) {
gpr_log(GPR_ERROR, "Invalid input for jwt credentials creation");
return NULL;
}
c = gpr_malloc(sizeof(grpc_jwt_credentials));
memset(c, 0, sizeof(grpc_jwt_credentials));
c->base.type = GRPC_CREDENTIALS_TYPE_JWT;
gpr_ref_init(&c->base.refcount, 1);
c->base.vtable = &jwt_vtable;
c->key = key;
c->jwt_lifetime = token_lifetime;
gpr_mu_init(&c->cache_mu);
jwt_reset_cache(c);
return &c->base;
}
static void test_jwt_verifier_url_issuer_success(void) {
grpc_jwt_verifier *verifier = grpc_jwt_verifier_create(NULL, 0);
char *jwt = NULL;
char *key_str = json_key_str(json_key_str_part3_for_url_issuer);
grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
gpr_free(key_str);
GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
grpc_httpcli_set_override(httpcli_get_openid_config,
httpcli_post_should_not_be_called);
jwt =
grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime, NULL);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != NULL);
grpc_jwt_verifier_verify(verifier, NULL, jwt, expected_audience,
on_verification_success, (void *)expected_user_data);
gpr_free(jwt);
grpc_jwt_verifier_destroy(verifier);
grpc_httpcli_set_override(NULL, NULL);
}
grpc_credentials *grpc_service_account_credentials_create(
const char *json_key, const char *scope, gpr_timespec token_lifetime) {
grpc_service_account_credentials *c;
grpc_auth_json_key key = grpc_auth_json_key_create_from_string(json_key);
if (scope == NULL || (strlen(scope) == 0) ||
!grpc_auth_json_key_is_valid(&key)) {
gpr_log(GPR_ERROR,
"Invalid input for service account credentials creation");
return NULL;
}
c = gpr_malloc(sizeof(grpc_service_account_credentials));
memset(c, 0, sizeof(grpc_service_account_credentials));
init_oauth2_token_fetcher(&c->base, service_account_fetch_oauth2);
c->base.base.vtable = &service_account_vtable;
c->scope = gpr_strdup(scope);
c->key = key;
c->token_lifetime = token_lifetime;
return &c->base.base;
}
static void test_jwt_verifier_custom_email_issuer_success(void) {
grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
grpc_jwt_verifier *verifier = grpc_jwt_verifier_create(&custom_mapping, 1);
char *jwt = NULL;
char *key_str = json_key_str(json_key_str_part3_for_custom_email_issuer);
grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
gpr_free(key_str);
GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
grpc_httpcli_set_override(httpcli_get_custom_keys_for_email,
httpcli_post_should_not_be_called);
jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
NULL);
grpc_auth_json_key_destruct(&key);
GPR_ASSERT(jwt != NULL);
grpc_jwt_verifier_verify(&exec_ctx, verifier, NULL, jwt, expected_audience,
on_verification_success, (void *)expected_user_data);
gpr_free(jwt);
grpc_jwt_verifier_destroy(verifier);
grpc_httpcli_set_override(NULL, NULL);
grpc_exec_ctx_finish(&exec_ctx);
}
static void validate_jwt_encode_and_sign_params(
const grpc_auth_json_key *json_key, const char *scope,
gpr_timespec token_lifetime) {
GPR_ASSERT(grpc_auth_json_key_is_valid(json_key));
GPR_ASSERT(json_key->private_key != NULL);
GPR_ASSERT(RSA_check_key(json_key->private_key));
GPR_ASSERT(json_key->type != NULL &&
strcmp(json_key->type, "service_account") == 0);
GPR_ASSERT(json_key->private_key_id != NULL &&
strcmp(json_key->private_key_id,
"e6b5137873db8d2ef81e06a47289e6434ec8a165") == 0);
GPR_ASSERT(json_key->client_id != NULL &&
strcmp(json_key->client_id,
"777-abaslkan11hlb6nmim3bpspl31ud.apps."
"googleusercontent.com") == 0);
GPR_ASSERT(json_key->client_email != NULL &&
strcmp(json_key->client_email,
"777-abaslkan11hlb6nmim3bpspl31ud@developer."
"gserviceaccount.com") == 0);
if (scope != NULL) GPR_ASSERT(strcmp(scope, test_scope) == 0);
GPR_ASSERT(!gpr_time_cmp(token_lifetime, grpc_max_auth_token_lifetime));
}
static void test_parse_json_key_success(void) {
char *json_string = test_json_key_str(NULL);
grpc_auth_json_key json_key =
grpc_auth_json_key_create_from_string(json_string);
GPR_ASSERT(grpc_auth_json_key_is_valid(&json_key));
GPR_ASSERT(json_key.type != NULL &&
strcmp(json_key.type, "service_account") == 0);
GPR_ASSERT(json_key.private_key_id != NULL &&
strcmp(json_key.private_key_id,
"e6b5137873db8d2ef81e06a47289e6434ec8a165") == 0);
GPR_ASSERT(json_key.client_id != NULL &&
strcmp(json_key.client_id,
"777-abaslkan11hlb6nmim3bpspl31ud.apps."
"googleusercontent.com") == 0);
GPR_ASSERT(json_key.client_email != NULL &&
strcmp(json_key.client_email,
"777-abaslkan11hlb6nmim3bpspl31ud@developer."
"gserviceaccount.com") == 0);
GPR_ASSERT(json_key.private_key != NULL);
gpr_free(json_string);
grpc_auth_json_key_destruct(&json_key);
}
/* Takes ownership of creds_path if not NULL. */
static grpc_call_credentials *create_default_creds_from_path(char *creds_path) {
grpc_json *json = NULL;
grpc_auth_json_key key;
grpc_auth_refresh_token token;
grpc_call_credentials *result = NULL;
gpr_slice creds_data = gpr_empty_slice();
int file_ok = 0;
if (creds_path == NULL) goto end;
creds_data = gpr_load_file(creds_path, 0, &file_ok);
if (!file_ok) goto end;
json = grpc_json_parse_string_with_len(
(char *)GPR_SLICE_START_PTR(creds_data), GPR_SLICE_LENGTH(creds_data));
if (json == NULL) goto end;
/* First, try an auth json key. */
key = grpc_auth_json_key_create_from_json(json);
if (grpc_auth_json_key_is_valid(&key)) {
result =
grpc_service_account_jwt_access_credentials_create_from_auth_json_key(
key, grpc_max_auth_token_lifetime());
goto end;
}
/* Then try a refresh token if the auth json key was invalid. */
token = grpc_auth_refresh_token_create_from_json(json);
if (grpc_auth_refresh_token_is_valid(&token)) {
result =
grpc_refresh_token_credentials_create_from_auth_refresh_token(token);
goto end;
}
end:
if (creds_path != NULL) gpr_free(creds_path);
gpr_slice_unref(creds_data);
if (json != NULL) grpc_json_destroy(json);
return result;
}
